Share this story

WASHINGTON, DC—For years, the government and security experts have warned of the looming threat of "cyberwar" against critical infrastructure in the US and elsewhere. Predictions of cyber attacks wreaking havoc on power grids, financial systems, and other fundamental parts of nations' fabric have been foretold repeatedly over the past two decades, and each round has become more dire. The US Department of Energy declared in its Quadrennial Energy Review, just released this month, that the electrical grid in the US "faces imminent danger from a cyber attack."

So far, however, the damage done by cyber attacks, both real (Stuxnet's destruction of Iranian uranium enrichment centrifuges and a few brief power outages alleged to have been caused by Russian hackers using BlackEnergy malware) and imagined or exaggerated (the Iranian "attack" on a broken flood control dam in Rye, New York), cannot begin to measure up to an even more significant cyber-threat—squirrels.

That was the message delivered at the Shmoocon security conference on Friday by Cris "SpaceRogue" Thomas, former member of the L0pht Heavy Industries hacking collective and now a security researcher at Tenable. In his presentation—entitled, "35 Years of Cyberwar: The Squirrels Are Winning"—SpaceRogue revealed the scale of the squirrelly threat to worldwide critical infrastructure by presenting data gathered by CyberSquirrel 1, a project that gathers information on animal-induced infrastructure outages collected from sources on the Internet.

SpaceRogue explains why it's all about the squirrels.

Thomas sought to dispel what he called the "FUD" around cyber-attacks on critical infrastructure, citing dire predictions from a number of sources, including "the pre-eminent infosec expert Ted Koppel" (whose recent book, Lights Out, focuses on the vulnerability of the power grid). And with government officials such as the Federal Energy Regulatory Commission Chairman Cheryl LaFleur declaring that "one [successful cyber attack] is too many," SpaceRogue likened the government's posture to the Cheney Doctrine, also known as the "One-Percent Doctrine." As Thomas explained, that doctrine is "if there's a one percent chance of something occurring, we must employ 100 percent of our resources to prevent it. This is essentially [what happened with] Iraq, and we're now applying it to cyber and equating cyber to nukes and [mutual assured destruction]. It really doesn't work that way."

That sort of stance is made even more unnerving by the fact that many of the cases where "cyber" has been attributed to incidents with energy infrastructure turned out to be false alarms. Even in the few cases where a network intrusion resulted in disruption of the electrical grid—specifically in Ukraine, where two attacks caused power outages—the impact was relatively brief and was comparable to outages caused by other factors, Thomas noted.

To "counteract the ludicrousness of cyberwar claims by people at high levels in government and industry," Thomas said, he launched CyberSquirrel1. Inspired by a presentation at Thotcon by Josh Corman (now the director for Cyber Statecraft at the Atlantic Council) and Jericho of Attrition.org, SpaceRogue started CyberSquirrel1 initially as a Twitter feed on March 19, 2013. The account simply "collected from a Google alert for news," he said. But it soon evolved into a much larger data gathering effort, collecting from search engines and other Web sources to populate a spreadsheet. Jericho joined in to enhance the data set the next year, adding more details and events—but even so, Thomas noted that he was only catching a fraction.

Enlarge/ Successful squirrel attacks against the power grid in 2016, mapped by CyberSquirrel1.

Squirrels are not the only "actors" tracked by CyberSquirrel1—birds, snakes, raccoons, rats, and martens factor in among the top animal threats that have been captured by the project's spreadsheet. Jellyfish have even gotten into the act, shutting down a nuclear power plant in 2013. CyberSquirrel1's data so far has tracked "over 1,700 outages, affecting nearly 5 million people," Thomas noted. "If you consolidated them into one location, it would basically take out the power for the San Francisco metropolitan area for two months." Shockingly, there have even been eight deaths attributed since the tracking began to follow animal attacks on infrastructure—six caused by squirrels downing power lines that struck people on the ground.

Enlarge/ A table of successful cyberwarfare attacks to date. The squirrels are winning.

As of January 8, even if you count the Ukraine attacks still not firmly attributed to Russia, even frogs (with three outages) have more successful attacks on power grids than state actors. Squirrels worldwide, however, are the clear cyberwar leaders: 879 successful attacks against infrastructure. There's also that swan that performed the denial of service attack on a train in the UK on Friday, January 13—truly showing the breadth of the animal kingdom's toolbox.

Share this story

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Emailsean.gallagher@arstechnica.com//Twitter@thepacketrat

101 Reader Comments

I can attest this this personally. When we first got fibre lines installed overhead, the squirrels were constantly chewing on them and knocking us offline. Constantly. We finally reached an agreement with Don Squirreleone and the rest of his goons. We leave nuts and seeds in a planter by the back fence, they go and chew on the neighbour's overhead fibre lines. Five years in, we've not had another outage, and only the odd warning left by one of the Rodentia when we've been.....remiss in leaving their weekly seeds for them.

I usually love reading Ars but all this anti-squirrel coverage is getting old. I mean, first you tell me they give me leprosy. Now they are attacking our infrastructure? Come on Ars, just admit you have a bias against squirrels. Is it their bushy tails that you don't like? Is it their beady little eyes? Their shifty, untrustworthy nature or their hoarding of items? They can't help who they are, but you can be a little more understanding and tolerant. I'm disappointed in you Ars. For shame.

I usually love reading Ars but all this anti-squirrel coverage is getting old. I mean, first you tell me they give me leprosy. Now they are attacking our infrastructure? Come on Ars, just admit you have a bias against squirrels. Is it their bushy tails that you don't like? Is it their beady little eyes? Their shifty, untrustworthy nature or their hoarding of items? They can't help who they are, but you can be a little more understanding and tolerant. I'm disappointed in you Ars. For shame.

Well, you know the saying: you are what you eat. Thus, squirrels are nuts. They deserve it all.

11 years ago I had just moved to a new apartment in a new city. Hole-in-the-wall studio attached to a garage. Cheap and affordable. One evening I'm playing Far Cry when I suddenly hear this loud BANG. Power instantly goes out. But I'm running on a laptop, so no biggie. I close the game and shutdown the laptop. Head outside. There is a transformer right next to the garage. Smoking squirrel on the ground. He closed a circuit on the transformer and partially exploded/cooked simultaneously. Who knows how many houses knocked out.

Four years later, at work. Power goes out. Emergency lights come on. We work in a basement. Computers dead, nothing we can do. Pull out flashlights and just take it easy. Power is out for 45 minutes. I heard later that day that a squirrel had managed to set a transformer on fire and that several blocks had lost power.

In some dark DARPA basement a group of military researchers are probably at this very moment training a horde of weaponized squirrels to be released upon our enemies. This is right up there with the deadly bat bomb and pigeon guided missile. And who could forget the Navy trained dolphins? Our enemies will fear our wildlife!

I usually love reading Ars but all this anti-squirrel coverage is getting old. I mean, first you tell me they give me leprosy. Now they are attacking our infrastructure? Come on Ars, just admit you have a bias against squirrels. Is it their bushy tails that you don't like? Is it their beady little eyes? Their shifty, untrustworthy nature or their hoarding of items? They can't help who they are, but you can be a little more understanding and tolerant. I'm disappointed in you Ars. For shame.

Hey, we all know that squirrels are just rats with a great PR department. Rats have had it in for us from the dawn of time so it should be no surprise that squirrels are in on the plot.

The big difference between The Squirrel Threat and "cyber warfare" though is that squirrels don't generally act on the agenda of a foreign state. Their attacks are generally localized, and thus aren't really that big an issue.

Comparing randomly distributed squirrel attacks (mostly against citizen-supporting infrastructure) with nation state attacks aimed at bringing down specific pieces of infrastructure with the goal of disabling specific domestic activities... they're comparable, but it's like comparing acorns and peanuts.

Plus, there's more potential here than just disrupting the infrastructure; foreign actors can also actively monitor the infrastructure, can insert "time bombs" designed to co off at specific times/conditions, and can insert false information into the system.

These days, much of the power grid, for example, is not firewalled from the Internet, even though it's supposed to be, and there are all sorts of devices hanging off of it that have zero security protections and will respond to ANY signal sent to them.

So while current attacks by squirrels dwarf current attacks via technology, this is still a field that needs a huge amount of cleanup; not the least because devices hanging off the power grid often only get replaced every 50 years or so -- or when damaged by squirrel -- whichever comes first.

Yeah, yeah, laugh it up, squirrels are winning the war on infrastructure. A grieving rodent family with a scumbag lawyer can take down the U.S.A. with a liability lawsuit over our (DOCUMENTED) unsafe electrical grid. Brilliant.

The big difference between The Squirrel Threat and "cyber warfare" though is that squirrels don't generally act on the agenda of a foreign state. Their attacks are generally localized, and thus aren't really that big an issue.

Comparing randomly distributed squirrel attacks (mostly against citizen-supporting infrastructure) with nation state attacks aimed at bringing down specific pieces of infrastructure with the goal of disabling specific domestic activities... they're comparable, but it's like comparing acorns and peanuts.

Plus, there's more potential here than just disrupting the infrastructure; foreign actors can also actively monitor the infrastructure, can insert "time bombs" designed to co off at specific times/conditions, and can insert false information into the system.

These days, much of the power grid, for example, is not firewalled from the Internet, even though it's supposed to be, and there are all sorts of devices hanging off of it that have zero security protections and will respond to ANY signal sent to them.

So while current attacks by squirrels dwarf current attacks via technology, this is still a field that needs a huge amount of cleanup; not the least because devices hanging off the power grid often only get replaced every 50 years or so -- or when damaged by squirrel -- whichever comes first.

Consider: how many people have been killed by nuclear weapons in the last half-century, versus how many people have been killed by slipping in the bathroom?

Clearly, wet tiles are a greater threat to humanity.

(Point being, I agree. Of course damage by hostile actors is reduced in the absence of a high-intensity war. The presenter may have a point about keeping things in perspective, but expected cost needs to take into account both the probability and potential damage from an attack.)

I am not from the country. But I went squirrel hunting once in some remote woods with this old timer who I was helping out on his land. I saw only one squirrel the entire time. I guess they hide in regions where they are hunted and their population is controlled. You all just need to start hunting an eating squirrels again in order to keep your internet and electricity on.

The big difference between The Squirrel Threat and "cyber warfare" though is that squirrels don't generally act on the agenda of a foreign state. Their attacks are generally localized, and thus aren't really that big an issue.

Comparing randomly distributed squirrel attacks (mostly against citizen-supporting infrastructure) with nation state attacks aimed at bringing down specific pieces of infrastructure with the goal of disabling specific domestic activities... they're comparable, but it's like comparing acorns and peanuts.

Plus, there's more potential here than just disrupting the infrastructure; foreign actors can also actively monitor the infrastructure, can insert "time bombs" designed to co off at specific times/conditions, and can insert false information into the system.

These days, much of the power grid, for example, is not firewalled from the Internet, even though it's supposed to be, and there are all sorts of devices hanging off of it that have zero security protections and will respond to ANY signal sent to them.

So while current attacks by squirrels dwarf current attacks via technology, this is still a field that needs a huge amount of cleanup; not the least because devices hanging off the power grid often only get replaced every 50 years or so -- or when damaged by squirrel -- whichever comes first.

You were supposed to say something funny!

Or: people here are intelligent enough to see all that already. We are just trying to have some fun here.

This article is Nuttier than a Squirrel at an Acorn Convention (I don't get to use this phrase much but when I do... )

Prologue: It was quietly known the Squirrel Overlords were plotting to overthrow their Bipedal Hominids. They loved destroying the very same *ropes* that allow them to traverse vast distances in the Hominid metal jungle. Tests were regularly conducted to test the quality of the"rope" to ensure it would with withstand their constant weight changes during daily migration. For it was known that the *rope* -ahem- cable line could not break. It must stand fast; and it was known the oddly, mostly hairless faced hominids would supply a new aerial transit portal if one were to break under such stresses. So it was decreed for millennia chew, chew with great determination, for if you fall from the metal skyline and loose your nuts, your days will surely be numbered.

I work IT for a cable tv company in the Northeast and one of our field techs happened across this fellow during an outage. I've been holding onto these pictures for several years and they finally fit the context.

I work IT for a cable tv company in the Northeast and one of our field techs happened across this fellow during an outage. I've been holding onto these pictures for several years and they finally fit the context.

I have had ground squirrels chew their way through my cable line at least twice in the past few years. On top of that, my horses and the ground squirrels have conspired to take out the electric fence around the horses pasture. I am in a bit too residential of an area to take on the ground squirrels with a fire arm but I have gained skill with my bow.

I have had ground squirrels chew their way through my cable line at least twice in the past few years. On top of that, my horses and the ground squirrels have conspired to take out the electric fence around the horses pasture. I am in a bit too residential of an area to take on the ground squirrels with a fire arm but I have gained skill with my bow.

No don't shoot them. That will accomplish nothing. There will always be more ground squirrels. Figure out what they want and make it so they can get it without screwing up your stuff.

I have had ground squirrels chew their way through my cable line at least twice in the past few years. On top of that, my horses and the ground squirrels have conspired to take out the electric fence around the horses pasture. I am in a bit too residential of an area to take on the ground squirrels with a fire arm but I have gained skill with my bow.

No don't shoot them. That will accomplish nothing. There will always be more ground squirrels. Figure out what they want and make it so they can get it without screwing up your stuff.

Yup. The Steady State Squirrel Theory. When you kill one, you're just making room for another one.